BARTON 

October 3, 2018 


VIA LLLCIKOMC SUBMISSION 

Maryland Attorney General's Office 
Attorney General, Brian Frosh 
Consumer Protection Division 
200 St. Paul Place 
Baltimore, MD 21202 
E-Mail: consumer@oatt.state.md .us 

Re: Notifica tion of Data Security Incident 


ATTORNEYS AT LAW 


Graybar Building 
420 Lexington Avenue 
New York, NY 10170 

(212)687.6262 Office 
(212)687.3667 Fax 

bartonesq.com 


Dear Attorney General Frosh: 

We represent Fellen and Fellen LLC, a New Jersey law firm (“ Fellen ”). in connection with a recent data 
security incident which is described in greater detail below. Fellen takes the security and privacy of personal 
information very seriously and is taking steps to prevent a similar incident from occurring in the future. 

1. Nature Of The Security Incident. 

Fellen has discovered, in an investigation completed in September, that one of its staff had clicked on a link 
contained in a “phishing” email, through which a malicious, unknown, third party was able to send out and 
create a rule that redirected emails to the malicious actor’s repository. Through these emails, the 
unauthorized third party was able to access certain contacts’ personal information, possibly including 
information of one Maryland resident. Fellen’s forensic research has not uncovered any evidence that such 
personal information has been misused as a result of this incident. 

2. Number Of Maryland Residents Affected. 

Following the issuance of this letter, Fellen will notify the one Maryland resident affected by this data 
security incident. A sample copy of the notification letter is attached hereto. 

3. Steps Taken Relating To The Incident. 

Fellen has taken affirmative steps to prevent a similar situation from arising in the future and to protect the 
privacy and security of all personal information. These steps have included working with a forensics firm to 
ensure that this type of event does not re-occur. Fellen’s forensic analysts have advised us that the problem has 
been resolved in that the affected hard drive containing the malware and the information systems have been 
inspected for additional malware, and no remaining malware was found in Fellen’s systems. In addition, Fellen 
is offering the affected individuals one (1) year of credit monitoring through Experian at no charge to the 
affected individual. 



4. 


Contact Information. 


Fellen is dedicated to protecting the sensitive information that is in its control. If you have any questions or 
need additional information, please do not hesitate to contact me at (212) 885-8836, or by e-mail at 
Krashbaum@bartonesq.com 

- 

Kenneth N. Rashbaum 
Barton LLP 

Enclosure 

Cc: Linda Fellen, Esq. 




FELLEN AND FELLEN LLC 
21 Kilmer Drive 
Building 2, Suite G 
Morganville, NJ 07551 


October 3, 2018 
[Recipient] 


RE: Important Security Notification 

PLEASE READ THIS ENTIRE LETTER. 

Dear [Recipient]: 

We are contacting you regarding reports we received regarding about a data security incident at Fellen & Fellen, 
for which a forensic investigation was completed in September. The investigation revealed that certain emails 
were appropriated by an unauthorized user due to the security incident, and your personal information, including 
your name, address, email, financial information including Social Security Number, phone number and other 
identifying information, if the foregoing were ever sent to us via email, that may have been exposed to the 
unauthorized user. As a result, your personal information may have also been exposed to others. Please be 
assured that we have taken every step necessary to address the incident. 

We have worked diligently, with the assistance of third party forensic cyber security investigators, to identify the 
source of the breach, which was isolated to one account in our email system, identify any vulnerabilities in our 
email systems, and to strengthen our security measures to protect information in our possession. Our third party 
forensic investigators have determined the full nature and scope of this incident and have remediated the 
intrusion. To date, we have received no information that any client’s identifying information was used to create 
unauthorized accounts or to make unauthorized purchases 

What we are doing to protect your information: 

To help protect your identity, we are offering a complimentary 1 year membership of Experian’s® 

Identity Works'™ product. This product provides you with superior identity detection and resolution of identity 
theft. To activate your membership and start monitoring your personal information please follow the steps 
below: 

• Ensure that you enroll by: (Your code will not work after this date.) 

• Visit the Experian IdentityWorks website to enroll: htt ps://www .expcrianid wor ks.co m/ 3bplus 

• Provide your activation code: 

If you have questions about the product, need assistance with identity restoration or would like an alternative to 
enrolling in Experian IdentityWorks online, please contact Experian’s customer care team at 877-890-9332 by 

_. Be prepared to provide engagement number_as proof of eligibility for the identity restoration 

services by Experian. 



ADDITIONAL DETAILS REGARDING YOUR {12-MONTH} EXPERIAN IDENTITYWORKS 

MEMBERSHIP: 


A credit card is not required for enrollment in Experian Identity Works. 

You can contact Experian immediately regarding any fraud issues, and have access to the following features 
once you enroll in Experian IdentityWorks: 

■ Experian credit report at signup: See what information is associated with your credit file. Daily 
credit reports are available for online members only.* 

■ Credit Monitoring: Actively monitors Experian, Equifax and Transunion files for indicators of fraud. 

■ Identity Restoration: Identity Restoration specialists are immediately available to help you address 
credit and non-credit related fraud. 

■ Experian IdentityWorks ExtendCARE IM : You receive the same high-level of Identity Restoration 
support even after your Experian IdentityWorks membership has expired. 

■ Up to SI Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized 
electronic fund transfers. 

If you believe there was fraudulent use of your information and would like to discuss how you may be able to 
resolve those issues, please reach out to an Experian agent at 877-890-9332. If, after discussing your situation 
with an agent, it is determined that Identity Restoration support is needed, then an Experian Identity Restoration 
agent is available to work with you to investigate and resolve each incident of fraud that occurred (including, as 
appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in 
placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting 
government agencies to help restore your identity to its proper condition). 

Please note that this Identity Restoration support is available to you for one year from the date of this letter and 
does not require any action on your part at this time. The Terms and Conditions for this offer are located at 
www.Experia nl DWork s.c om/res toration. You will also find self-help tips and information about identity 
protection at this site. 

We sincerely apologize for this incident and regret any inconvenience it may cause you. Should you have 
questions or concerns regarding this matter, please do not hesitate to contact us at: info@fellenlaw.com. 

Sincerely, 


Linda Fellen 
Managing Member 


* Offline members will be eligible to call for additional reports quarterly after enrolling 

** Identity theft insurance is underwritten by insurance company subsidiaries or affiliates of American International Group, Inc. (AIG). 
The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and 
exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may 
not be available in all jurisdictions 



Reference Guide 

The following tools and resources are available to you in addition to the services that we are 
providing at no cost to you: 

Order Your_Free Credit Report. To order your free credit report, visit 

www.annualcreditreport.com, call toll-free at 1-877-322-8228, or complete the Annual Credit 
Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at 
www.consumer.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, 
Atlanta, GA 30348-5281. The three consumer reporting agencies provide free annual credit reports 
only through the website, toll-free number or request form. 

When you receive your credit report, review it carefully. Look for accounts you did not open. 
Look in the “inquiries” section for names of creditors from whom you haven’t requested credit. 
Some companies bill under names other than their store or commercial names. The consumer 
reporting agency will be able to tell you when that is the case. Look in the “personal information” 
section for any inaccuracies in your information (such as home address and Social Security 
number). If you see anything you do not understand, call the consumer reporting agency at the 
telephone number on the report. Errors in this information may be a warning sign of possible 
identity theft. You should notify the consumer reporting agencies of any inaccuracies in your 
report, whether due to error or fraud, as soon as possible so the information can be investigated 
and, if found to be in error, corrected. If there are accounts or charges you did not authorize, 
immediately notify the appropriate consumer reporting agency by telephone and in writing. 
Consumer reporting agency staff will review your report with you. If the information can’t be 
explained, then you will need to call the creditors involved. Information that can’t be explained 
also should be reported to your local police or sheriffs office because it may signal criminal 
activity. 

Report Incidents. If you detect any unauthorized transactions in a financial account, promptly 
notify your payment card company or financial institution. If you detect any incident of identity 
theft or fraud, promptly report the incident to law enforcement, the FTC and your state Attorney 
General. If you believe your identity has been stolen, the FTC recommends that you take these 
steps: 

• Place an initial fraud alert. 

• Order your credit reports. 

• Create an FTC Identity Theft Affidavit by submitting a report about the theft at 
http://www.ftc.gov/complaint or by calling the FTC. 

• File a police report about the identity theft and get a copy of the police report or the report 
number. Bring your FTC Identity Theft Affidavit with you when you file the police report. 

Your Identity Theft Report is your FTC Identity Theft Affidavit plus your police report. You may 
be able to use your Identity Theft Report to remove fraudulent information from your credit report, 
prevent companies from refurnishing fraudulent information to a consumer reporting agency, stop 
a company from collecting a debt that resulted from identity theft, place an extended seven-year 
fraud alert with consumer reporting agencies, and obtain information from companies about 
accounts the identity thief opened or misused. You can contact the FTC to learn more about how 
to protect yourself from becoming a victim of identity theft and how to repair identity theft: 


Federal Trade Commission Consumer Response Center 

600 Pennsylvania Avenue, N W 
Washington, DC 20580 
1-877-IDTHEFT (438-4338) 
www.ftc.gov/idtheft 

Placing a Fraud Alert on You r Credit File. You may place a fraud alert on your credit file. A 
fraud alert helps protect you against the possibility of an identity thief opening new credit accounts 
in your name. When a merchant checks the credit history of someone applying for credit, the 
merchant gets a notice that the applicant may be the victim of identity theft. The alert notifies the 
merchant to take steps to verify the identity of the applicant. You can place a fraud alert on your 
credit report by calling any one of the toll-free numbers provided below. You will reach an 



consumer reporting agencies. For more information on fraud alerts, you also may contact the FTC 
as described above. 


Equifax 

Equifax Credit Information 

Services, Inc. 

P.O. Box 740241 

Atlanta, GA 

30374 

1-800-525-6285 

www.equifax.com 

Experian 

Experian Inc. 

P.O. Box 9554 

Allen, TX 

75013 

1-888-397-3742 

www.experian.com 

TransUnion 

TransUnion LLC 

P.O. Box 2000 

Chester. PA 19022-2000 

1-800-680-7289 

www.transunion.com 


Phicim' a Security Freeze on Your Credit File. You may place a “security freeze” (also known 
as a “credit freeze”) on your credit file. A security freeze is designed to prevent potential creditors 
from accessing your credit file at the consumer reporting agencies without your consent. There 
may be fees for placing, lifting, and/or removing a security freeze, which generally range from 
$5-$20 per action. Unlike a fraud alert, you must place a security freeze on your credit file at each 
consumer reporting agency individually. For more information on security freezes, you may 
contact the three nationwide consumer reporting agencies or the FTC as described above. As the 
instructions for establishing a security freeze differ from state to state, please contact the three 
nationwide consumer reporting agencies to find out more information. 

The consumer reporting agencies may require proper identification prior to honoring your request. 
For example, you may be asked to provide: 

• Your full name with middle initial and generation (such as Jr., Sr., II, III) 

• Your Social Security number 

• Your date of birth 

• Addresses where you have lived over the past five years 

• A legible copy of a government-issued identification card (such as a state driver’s license 
or military ID card) 

• Proof of your current residential address (such as a current utility bill or account 
statement). 


